AEMO

Term: Access
Definition: Ability and means to enter a facility, to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.
Source: Adapted from CNSSI 4009

Term: Access control
Definition: Limiting access to organisational assets only to authorised entities (e.g., users, programs, processes, or other systems). See asset.
Source: Adapted from CNSSI 4009

Term: Access management
Definition: Management processes to ensure that access granted to the organisation's assets is commensurate with the risk to critical infrastructure and organisational objectives. See access control and asset.
Source: Adapted from CERT RMM
Term: Ad hoc
Definition: In the context of this model, ad hoc (i.e., an ad hoc practice) refers to performing a practice in a manner that depends largely on the initiative and experience of an individual or team (and team leadership), without much in the way of organisational guidance in the form of a prescribed plan (verbal or written), policy, or training. The methods, tools, and techniques used, the priority given a particular instance of the practice, and the quality of the outcome may vary significantly depending on who is performing the practice, when it is performed, and the context of the problem being addressed. With experienced and talented personnel, high-quality outcomes may be achieved even though practices are ad hoc. However, because lessons learned are typically not captured at the organisational level, approaches and outcomes are difficult to repeat or improve across the organisation.
Source: ES-C2M2

Term: Advanced metering infrastructure (AMI)
Definition: Advanced Metering Infrastructure (AMI) refers to systems that measure, collect, and analyse energy usage, from advanced devices such as 'smart' electricity meters, gas meters, and/or water meters, through various communication media on request or on a predefined schedule.
Source: Adapted from SGMM v1.1 Glossary

© 2023 Australian Energy Market Operator Limited. The material in this publication may be used in accordance with the copyright permissions on AEMO's website.

Term: Anomalous
Definition: Inconsistent with or deviating from what is usual, normal, or expected.
Source: Merriam-Webster.com

Term: Anomaly
Definition: See anomalous.
Source: Merriam-Webster.com

Term: Asset
Definition: Something of value to the organisation. Assets include many things, including technology, information, roles performed by personnel, and facilities. For the purposes of this model, assets to be considered are IT and OT hardware and software assets, as well as information essential to operating the function.
Source: ES-C2M2

Term: Asset owner
Definition: A person or organisational unit, internal or external to the organisation, that has primary responsibility for the viability, productivity, and resilience of an organisational asset.
Source: CERT RMM

Term: Australian Energy Market Operator (AEMO)
Definition: The Australian Energy Market Operator (AEMO) is responsible for operating Australia's largest gas and electricity markets and power systems, including the National Electricity Market (NEM), the interconnected power system in Australia's eastern and south-eastern seaboard, and the Wholesale Electricity Market (WEM) and power system in Western Australia.
Source: aemo.com.au

Term: Australian Energy Regulator (AER)
Definition: The AER regulates wholesale and retail energy markets, and energy networks, under national energy legislation and rules. The AER functions mostly relate to energy markets in eastern and southern Australia.
Source: aer.gov.au

Term: Authentication
Definition: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IT or ICS.
Source: DOE RMP
Term: Authenticator
Definition: The means used to confirm the identity of a user, processor, or device (e.g., user password or token).
Source: NIST 800-53

Term: Availability
Definition: Ensuring timely and reliable access to and use of information. For an asset, the quality of being accessible to authorised users (people, processes, or devices) whenever it is needed.
Source: DOE RMP & CERT RMM

Term: Business impact analysis
Definition: A business impact analysis (BIA) is the process of determining the criticality of business activities and associated resource requirements to ensure operational resilience and continuity of operations during and after a business disruption. The BIA quantifies the impacts of disruptions on service delivery, risks to service delivery, and recovery time objectives (RTOs) and recovery point objectives (RPOs). These recovery requirements are then used to develop strategies, solutions, and plans.
Source: Adapted from Gartner

Term: Capacity
Definition: Maximum electric output an electricity generator can produce under specific conditions.
Source: AESCSF

Term: Change control (change management)
Definition: A continuous process of controlling changes to information or technology assets, related infrastructure, or any aspect of services, enabling approved changes with minimum disruption.
Source: CERT RMM
Term: Commercial customer
Definition: An entity engaged in establishing and maintaining:
- Any utility (water, gas, telecommunications) that is not a critical customer (see critical customer);
- Hospitals, aged-care facilities (including any individual customer who has life-support equipment located at their residential address);
- Traffic lights and emergency services (police, fire, ambulance);
- Heavy industry;
- Cold storage facilities;
- Food processing/fresh producers;
- Sporting stadiums;
- Large shopping centres; and
- Large office buildings.
This list is provided as a guide only, and is not an exhaustive list of commercial customer types.
Source: AESCSF

Term: Computer security incident
Definition: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. An 'imminent threat of violation' refers to a situation in which the organisation has a factual basis for believing that a specific incident is about to occur. For example, the antivirus software maintainers may receive a bulletin from the software vendor, warning them of new malware that is rapidly spreading across the Internet. Also, see incident.
Source: NIST 800-61 (computer security incident)
Term: Confidentiality
Definition: The preservation of authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. For an information asset, confidentiality is the quality of being accessible only to authorised people, processes, and devices.
Source: DOE RMP & Adapted from CERT RMM

Term: Configuration baseline
Definition: A documented set of specifications for an IT or OT system or asset, or a configuration item within a system, that has been formally reviewed and agreed upon at a given point in time, and which should be changed only through change control procedures. The configuration baseline is used as a basis for future builds, releases, and/or changes.
Source: Adapted from NIST 800-53 Glossary

Term: Configuration management
Definition: A collection of activities focused on establishing and maintaining the integrity of assets, through control of the processes for initialising, changing, and monitoring the configurations of those assets throughout their life cycle.
Source: NIST SP 800-128

Term: Contingency plan
Definition: Management policy and procedures used to guide an enterprise response to a perceived loss of mission capability. The contingency plan is the first plan used by the enterprise risk managers to determine what happened, why, and what to do. It may point to the continuity of operations plan or disaster recovery plan for major disruptions.
Source: CNSSI 4009

Term: Continuous monitoring
Definition: Maintaining ongoing awareness of the current cyber security state of the function throughout the operational environment by collecting, analysing, alarming, presenting, and using power system and cyber security information to identify anomalous activities, vulnerabilities, and threats to the function in order to support incident response and organisational risk management decisions.
Source: Adapted from NIST 800-137

Term: Controls
Definition: The management, operational, and technical methods, policies, and procedures, manual or automated (i.e., safeguards or countermeasures), prescribed for an IT and ICS to protect the confidentiality, integrity, and availability of the system and its information.
Source: DOE RMP

Term: Credential
Definition: An object or data structure that authoritatively binds an identity (and optionally, additional attributes) to a token possessed and controlled by a Subscriber.
Source: NIST SP 800-63-2

Term: Criticality Assessment Tool (CAT)
Definition: The Criticality Assessment Tool is a tool used to assess the relative criticality of entities participating within Australian electricity and/or gas markets. This includes the electricity and gas markets operated by the Australian Energy Market Operator (AEMO), including:
- the National Electricity Market (NEM),
- the Wholesale Electricity Market (WEM),
- the Declared Wholesale Gas Market (DWGM),
- the Short Term Trading Market (STTM), and
- the Gas Supply Hub (GSH).
Source: AESCSF
Term: Critical customer
Definition: Any customer that operates a critical infrastructure asset. See critical infrastructure.
Source: AESCSF

Term: Critical electricity asset
Definition: A network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers, or an electricity generator station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory.
Source: SOCI, Section 10 (2018)

Term: Critical infrastructure
Definition: Critical infrastructure comprises pieces of infrastructure that would have a significant impact on Australia if they were disrupted. The Security of Critical Infrastructure Act (SOCI) defines critical infrastructure as follows. An asset is a critical infrastructure asset if it is:
(a) a critical electricity asset; or
(b) a critical port; or
(c) a critical water asset; or
(d) a critical gas asset; or
(e) an asset declared under section 51 (of the Act) to be a critical infrastructure asset; or
(f) an asset prescribed by the rules for the purposes of this paragraph.
Source: SOCI, Section 9 (2018)

Term: Crude oil
Definition: Petroleum as it occurs naturally, as it comes from an oil well, or after extraneous substances (as entrained water, gas, and minerals) have been removed.
Source: Merriam-Webster.com

Term: Current
Definition: Updated at an organisation-defined frequency (e.g., as in 'the asset inventory is kept current') that is selected such that the risks to critical infrastructure and organisation objectives associated with being out-of-date by the maximum interval between updates are acceptable to the organisation and its stakeholders.
Source: ES-C2M2
Term: Customer
Definition: Any individual (or entity) who purchases a non-commercial quantity of electricity. See commercial customer.
Source: AESCSF

Term: Cyber attack
Definition: An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure, or for destroying the integrity of the data or stealing controlled information.
Source: DOE RMP

Term: Cyber security
Definition: The ability to protect or defend the use of cyberspace from cyber-attacks. Measures taken to protect a computer or computerised system (IT and OT) against unauthorised access or attack.
Source: DOE RMP and Merriam-Webster.com

Term: Cyber security architecture
Definition: An integral part of the enterprise architecture that describes the structure and behaviour for an enterprise's security processes, cyber security systems, personnel, and subordinate organisations, showing their alignment with the organisation's mission and strategic plans. See enterprise architecture and network architecture.
Source: DOE RMP

Term: Cyber security event
Definition: Any observable occurrence in a system or network that is related to a cyber security requirement (confidentiality, integrity, or availability). See also event.
Source: ES-C2M2

Term: Cyber security impact
Definition: The effect on the measures that are in place to protect from and defend against cyber-attack.
Source: ES-C2M2

Term: Cyber security plan
Definition: Formal document that provides an overview of the cyber security requirements for an IT and ICS and describes the cyber security controls in place or planned for meeting those requirements.
Source: DOE RMP

Term: Cyber security policy
Definition: A set of criteria for the provision of security services.
Source: DOE RMP
Term: Cyber security program
Definition: A cyber security program is an integrated group of activities designed and managed to meet cyber security objectives for the organisation and/or the function. A cyber security program may be implemented at either the organisation or the function level, but a higher-level implementation and enterprise viewpoint may benefit the organisation by integrating activities and leveraging resource investments across the entire enterprise.
Source: ES-C2M2

Term: Cyber security program strategy
Definition: A plan of action designed to achieve the performance targets that the organisation sets to accomplish its mission, vision, values, and purpose for the cyber security program.
Source: CERT RMM

Term: Cyber security requirements
Definition: Requirements levied on IT and OT that are derived from organisational mission and business case needs (in the context of applicable legislation, Executive Orders, directives, policies, standards, instructions, regulations, procedures) to ensure the confidentiality, integrity, and availability of the services being provided by the organisation and the information being processed, stored, or transmitted.
Source: Adapted from DOE RMP

Term: Cyber security responsibilities
Definition: Obligations for ensuring the organisation's cyber security requirements are met.
Source: ES-C2M2

Term: Cyber security risk
Definition: The risk to organisational operations (including mission, functions, image, reputation), resources, and other organisations due to the potential for unauthorised access, use, disclosure, disruption, modification, or destruction of information and/or IT and ICS. See risk.
Source: DOE RMP
Term: Cyber security workforce management objectives
Definition: Performance targets for personnel with cyber security responsibilities that the organisation sets to meet cyber security requirements.
Source: Adapted from CERT RMM

Term: Defined practice
Definition: A practice that is planned (i.e., described, explained, made definite and clear, and standardised) and is executed in accordance with the plan.
Source: Adapted from CERT RMM

Term: Dependency risk
Definition: Dependency risk is measured by the likelihood and severity of damage if an IT or OT system is compromised due to a supplier or other external party on which delivery of the function depends. Evaluating dependency risk includes an assessment of the importance of the potentially compromised system and the impact of compromise on organisational operations and assets, individuals, other organisations, and the Nation. See upstream dependencies and supply chain risk.
Source: Adapted from NIST 7622, pg. 10

Term: Depot (storage depot)
Definition: A place where large amounts of raw materials, equipment, arms, or other supplies are kept until they are needed.
Source: Collinsdictionary.com

Term: Deprovisioning
Definition: The process of revoking or removing an identity's access to organisational assets. See also provisioning.
Source: CERT RMM

Term: Distribution
Definition: The delivery of energy to retail customers (e.g., homes, businesses, industry, government facilities).
Source: Adapted from EIA Glossary

Term: Distribution Network Service Provider (DNSP)
Definition: Owner and operator of substations and the wires that transport from distribution centres to end-use consumers. Also, provider of technical services, including construction of power lines, inspection of equipment, maintenance, and street lighting.
Source: AESCSF
Term: Domain
Definition: In the context of the model structure, a domain is a logical grouping of cyber security practices.
Source: ES-C2M2

Term: Domain objectives
Definition: The practices within each domain are organised into objectives. The objectives represent achievements that support the domain (such as 'Manage Asset Configuration' for the ACM domain and 'Increase Cyber security Awareness' for the WM domain). Each of the objectives in a domain comprises a set of practices, which are ordered by maturity indicator level.
Source: ES-C2M2

Term: Downstream dependencies
Definition: External parties dependent on the delivery of the function, such as customers and some operating partners.
Source: ES-C2M2

Term: DWGM
Definition: Declared Wholesale Gas Market (DWGM) is a wholesale market that enables competitive and dynamic trading of gas injections and withdrawals from the Declared Transmission System (DTS), which links producers, storage providers, interconnected pipelines, major users, and retailers.
Source: AEMO

Term: DTS
Definition: Declared Transmission System: links producers, storage providers, interconnected pipelines, major users, and retailers.
Source: AEMO

Term: E-CAT
Definition: The Electricity-specific Criticality Assessment Tool (CAT). See Criticality Assessment Tool (CAT).
Source: AESCSF

Term: EMM
Definition: Energy Ministers' Meeting; also associated with the Energy Ministers Meeting Report.
Source: AESCSF
Term: Electrical substation
Definition: Electrical substations act as connection points between the electricity networks and electricity generators, large load customers, and the lower voltage distribution network it serves (including switch yards).
Source: AESCSF

Term: Electricity sector information sharing and analysis center (ES-ISAC)
Definition: The Electricity Sector Information Sharing and Analysis Center (ES-ISAC) shares critical information with industry participants about infrastructure protection. The ES-ISAC serves the electricity sector by facilitating communications between electricity sector participants, federal governments, and other critical infrastructures. It is the job of the ES-ISAC to promptly disseminate threat indications, vulnerabilities, analyses, and warnings, together with interpretations, to help electricity sector participants take protective actions. See Information Sharing and Analysis Center (ISAC).
Source: Adapted from Electricity Sector Information Sharing and Analysis Center (ES-ISAC) website home page

Term: Electricity subsector
Definition: A portion of the energy sector that includes the generation, transmission, and distribution of electricity.
Source: ES-SPP

Term: Enterprise
Definition: The largest (i.e., highest-level) organisational entity to which the organisation participating in the AESCSF survey belongs. For some participants, the organisation taking the survey is the enterprise itself. See organisation.
Source: Adapted from SGMM v1.1 Glossary
Term: Enterprise architecture
Definition: The design and description of an enterprise's entire set of IT and OT: how they are configured, how they are integrated, how they interface to the external environment at the enterprise's boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise's overall security posture. See cyber security architecture and network architecture.
Source: DOE RMP (but changed ICS to OT)

Term: Entity
Definition: Something having separate or distinct existence.
Source: Merriam-Webster.com

Term: Essential user
Definition: If fuel rationing is needed during a liquid fuel emergency, some essential goods and services need to continue to be made available to avoid seriously damaging the health or safety of the community. The providers of these essential goods and services are known as 'essential users'. Essential users may be exempted from rationing during an emergency. They are:
- Australian defence services
- ambulance services
- corrective services
- fire or rescue services
- police services
- public transport services
- state emergency services or equivalent organisations
- taxi services
Source: Energy.gov.au, Liquid Fuel Emergency Act 1984

Term: Establish and maintain
Definition: The development and maintenance of the object of the practice (such as a program). For example, 'Establish and maintain identities' means that not only must identities be provisioned, but they also must be documented, have assigned ownership, and be maintained relative to corrective actions, changes in requirements, or improvements.
Source: CERT RMM
Term: Event
Definition: Any observable occurrence in a system or network. Depending on their potential impact, some events need to be escalated for response. To ensure consistency, criteria for response should align with the organisation's risk criteria.
Source: NIST 800-61

Term: Function
Definition: The high-level electricity system activity or set of activities performed by the utility to which the model is being applied. Generally, the function will be generation, transmission, distribution, and/or markets. When using the AESCSF evaluation survey, the function is the organisational line-of-business (generation, transmission, distribution, or markets) that is being evaluated by completing the model.
Source: ES-C2M2

Term: G-CAT
Definition: The Gas-specific Criticality Assessment Tool (CAT). See Criticality Assessment Tool (CAT).
Source: AESCSF

Term: Generation
Definition: The process of producing electric energy by transforming other forms of energy; also, the amount of electric energy produced, expressed in kilowatt-hours.
Source: EIA Glossary

Term: Generation capacity
Definition: Measured in Megawatts (MW).
Source: AESCSF

Term: Governance
Definition: An organisational process of providing strategic direction for the organisation while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses financial and human resources. Governance also typically includes the concepts of sponsorship (setting the managerial tone), compliance (ensuring that the organisation is meeting its compliance obligations), and alignment (ensuring that processes such as those for cyber security program management align with strategic objectives).
Source: Adapted from CERT RMM
Term: GSH
Definition: Gas supply hub: an exchange for the wholesale trading of natural gas.
Source: AEMO

Term: Guidelines
Definition: A set of recommended practices produced by a recognised authoritative source representing subject matter experts and community consensus, or internally by an organisation. See standard.
Source: ES-C2M2

Term: Human Machine Interface (HMI)
Definition: A Human Machine Interface consists of hardware and software that allow operators to monitor and control a process control system. An HMI enables people to support and interact with complex technological systems.
Source: AESCSF

Term: Identity
Definition: The set of attribute values (i.e., characteristics) by which an entity is recognisable and that, within the scope of an identity manager's responsibility, is sufficient to distinguish that entity from any other entity.
Source: CNSSI 4009

Term: Impact
Definition: Negative consequence to subsector functions.
Source: ES-C2M2

Term: Incident
Definition: An event (or series of events) that significantly affects (or has the potential to significantly affect) critical infrastructure and/or organisational assets and services and requires the organisation (and possibly other stakeholders) to respond in some way to prevent or limit adverse impacts. See also computer security incident and event.
Source: Adapted from CERT RMM
Term: Incident life cycle
Definition: The stages of an incident from detection to closure. Collectively, the incident life cycle includes the processes of detecting, reporting, logging, triaging, declaring, tracking, documenting, handling, coordinating, escalating, and notifying, gathering, and preserving evidence, and closing incidents. Escalated events also follow the incident life cycle, even if they are never formally declared to be incidents.
Source: Adapted from CERT RMM

Term: Information assets
Definition: Information or data that is of value to the organisation, including diverse information such as operational data, intellectual property, customer information, and contracts.
Source: Adapted from CERT RMM

Term: Information sharing and analysis center (ISAC)
Definition: An Information Sharing and Analysis Center (ISAC) shares critical information with industry participants on infrastructure protection. Each critical infrastructure industry has established an ISAC to communicate with its members, its government partners, and other ISACs about threat indications, vulnerabilities, and protective strategies. ISACs work together to better understand cross-industry dependencies and to account for them in emergency response planning. See Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
Source: Adapted from Electricity Sector Information Sharing and Analysis Center (ES-ISAC) website home page

Term: Information technology (IT)
Definition: A discrete set of electronic information resources organised for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. In the context of this publication, the definition includes interconnected or dependent business systems and the environment in which they operate.
Source: DOE RMP
Term: Institutionalisation
Definition: The extent to which a practice or activity is ingrained into the way an organisation operates. The more an activity becomes part of how an organisation operates, the more likely it is that the activity will continue to be performed over time, with a consistently high level of quality. ('Incorporated into the ingrained way of doing business that an organisation follows routinely as part of its corporate culture.' - CERT RMM). See also maturity indicator level.
Source: ES-C2M2

Term: Integrity
Definition: Guarding against improper information modification or destruction. Integrity includes ensuring information nonrepudiation and authenticity. For an asset, integrity is the quality of being in the condition intended by the owner and therefore continuing to be useful for the purposes intended by the owner.
Source: DOE RMP & CERT RMM

Term: Interconnector
Definition: An interconnector is infrastructure that connects the energy transmission systems of two regions, allowing energy (such as electricity or gas) to flow between them.
Source: AESCSF

Term: Isolated
Definition: Physically or logically independent from another.
Source: AESCSF

Term: L-CAT
Definition: The Liquid fuels-specific Criticality Assessment Tool (CAT). See Criticality Assessment Tool (CAT).
Source: AESCSF
Term: Least privilege
Definition: A security control that addresses the potential for abuse of authorised privileges. The organisation employs the concept of least privilege by allowing only authorised access for users (and processes acting on behalf of users) who require it to accomplish assigned tasks in accordance with organisational missions and business functions. Organisations employ the concept of least privilege for specific duties and systems (including specific functions, ports, protocols, and services). The concept of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organisational missions and/or functions. Organisations consider the creation of additional processes, roles, and information system accounts as necessary to achieving least privilege. Organisations also apply least privilege concepts to the design, development, implementation, and operations of IT and OT systems.
Source: Adapted from NIST 800-53

Term: Load
Definition: The quantum of electricity delivered to, or demanded from, any one or more customers (including commercial and critical customers).
Source: AESCSF
Term: Logging
Definition: Logging typically refers to automated recordkeeping (by elements of an IT or OT system) of system, network, or user activity. Logging may also refer to keeping a manual record (e.g., a sign-in sheet) of physical access by personnel to a protected asset or restricted area, although automated logging of physical access activity is commonplace. Regular review and audit of logs (manually or by automated tools) is a critical monitoring activity that is essential for situational awareness (e.g., through the detection of cyber security events or weaknesses).
Source: ES-C2M2

Term: Logical control
Definition: A software, firmware, or hardware feature (i.e., computational logic, not a physical obstacle) within an IT or OT system that restricts access to and modification of assets only to authorised entities. For contrast, see physical control.
Source: Adapted from CNSSI 4009 definition of 'internal security controls'

Term: Markets
Definition: Venues where participants buy and sell products and services. In the context of this model, markets refer to trading involving wholesale electricity.
Source: FERC

Term: Maturity
Definition: The extent to which an organisation has implemented and institutionalised the cyber security practices of the model.
Source: ES-C2M2
Term: Maturity indicator level (MIL)
Definition: A measure of the cyber security maturity of an organisation in a given domain of the model. The model currently defines four maturity indicator levels (MILs) and holds a fifth level in reserve for use in future versions of the model. Each of the four defined levels is designated by a number (0 through 3) and a name, for example, 'MIL3: managed'. A MIL is a measure of the progression within a domain from individual and team initiative, as a basis for carrying out cyber security practices, to organisational policies and procedures that institutionalise those practices, making them repeatable with a consistently high level of quality. As an organisation progresses from one MIL to the next, the organisation will have more complete or more advanced implementations of the core activities in the domain.
Source: ES-C2M2

Term: Monitoring
Definition: Collecting, recording, and distributing information about the behaviour and activities of systems and persons to support the continuous process of identifying and analysing risks to organisational assets and critical infrastructure that could adversely affect the operation and delivery of services.
Source: Adapted from CERT RMM (monitoring and risk management)

Term: Monitoring requirements
Definition: The requirements established to determine the information gathering and distribution needs of stakeholders.
Source: CERT RMM
Term: Multifactor authentication
Definition: Authentication using two or more factors to achieve authentication. Factors include (i) something you know (e.g., password/PIN), (ii) something you have (e.g., cryptographic identification device, token), (iii) something you are (e.g., biometric), or (iv) you are where you say you are (e.g., GPS token). See authentication.
Source: Adapted from NIST 800-53

Term: National Electricity Market (NEM)
Definition: Comprised of five physically connected regions on the east coast of Australia: Queensland, NSW (including ACT), Victoria, Tasmania, and South Australia.
Source: aemo.com.au

Term: National Gas Rules
Definition: The rules set by the AEMC that apply to three types of wholesale gas markets:
- gas supply hubs (GSH) (located in Wallumbilla, Queensland and Moomba, South Australia)
- short term trading market hubs (STTM) (at Brisbane, Sydney, and Adelaide)
- the declared wholesale gas market (DWGM) in Victoria.
Source: AEMC

Term: Network architecture
Definition: A framework that describes the structure and behaviour of communications among IT and/or OT assets and prescribes rules for interaction and interconnection. See enterprise architecture and cyber security architecture.
Source: Adapted from CNSSI 4009 (IA architecture)

Term: Network Services Providers (NSP)
Definition: Operates electricity networks. An NSP can refer to both a TNSP and DNSP.
Source: AESCSF
Term: Operating picture
Definition: Real-time (or near-real-time) awareness of the operating state of a system or function. An operating picture is formed from data collected from various trusted information sources that may be internal or external to the system or function (e.g., temperature, weather events and warnings, cyber security alerts). The operating picture may or may not be presented graphically. It involves the collection, analysis (including fusion), and distribution of what is important to know to make decisions about the operation of the system. A common operating picture (COP) is a single operating picture that is available to the stakeholders of the system or function so that all stakeholders can make decisions based on the same reported operating state. See common operating picture.
Source: ES-C2M2

Term: Operating states
Definition: See pre-defined states of operation.
Source: ES-C2M2

Term: Operational resilience
Definition: The organisation's ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management, supported and enabled by activities such as security and business continuity. A subset of enterprise resilience, operational resilience focuses on the organisation's ability to manage operational risk, whereas enterprise resilience encompasses additional areas of risk such as business risk and credit risk. See the related term operational risk.
Source: CERT RMM
Term: Operational risk
Definition: The potential impact on assets and their related services that could result from inadequate or failed internal processes, failures of systems or technology, the deliberate or inadvertent actions of people, or external events. In the context of this model, our focus is on operational risk from cyber security threats.
Source: Adapted from CERT RMM

Term: Operational technology
Definition: See operations technology.
Source: AESCSF

Term: Operations technology (OT)
Definition: Programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms.
Source: ES-C2M2

Term: Organisation
Definition: An organisation of any size, complexity, or positioning within an organisational structure that is charged with carrying out assigned mission and business processes and that uses IT and OT in support of those processes. In the context of the model, the organisation is the entity using the model or that is under examination.
Source: Adapted from DOE RMP

Term: Periodic review/activity
Definition: A review or activity that occurs at specified, regular time intervals, where the organisation-defined frequency is commensurate with risks to organisational objectives and critical infrastructure.
Source: Adapted from SEI CMM Glossary

Term: Personal information
Definition: Personal information includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.
Source: Australian Government OAIC
Term: Personnel
Definition: Employees of the organisation. This includes full time, part time, and contracted employees.
Source: AESCSF

Term: Physical control
Definition: A type of control that prevents physical access to, and modification of, information assets or physical access to technology and facilities. Physical controls often include such artifacts as card readers and physical barrier methods.
Source: CERT RMM

Term: Policy
Definition: A high-level overall plan embracing the general goals and acceptable procedures of an organisation.
Source: Merriam-Webster.com

Term: Position description
Definition: A set of responsibilities that describe a role or roles filled by an employee. Also known as a job description.
Source: ES-C2M2

Term: Practice
Definition: An activity described in the model that can be performed by an organisation to support a domain objective. The purpose of these activities is to achieve and sustain an appropriate level of cyber security for the function, commensurate with the risk to critical infrastructure and organisational objectives.
Source: ES-C2M2
Term: Pre-defined states of operation
Definition: Distinct operating modes (which typically include specific IT and OT configurations as well as alternate or modified procedures) that have been designed and implemented for the function and can be invoked by a manual or automated process in response to an event, a changing risk environment, or other sensory and awareness data to provide greater safety, resiliency, reliability, and/or cyber security. For example, a shift from the normal state of operation to a high-security operating mode may be invoked in response to a declared cyber security incident of sufficient severity. The high-security operating state may trade off efficiency and ease of use in favour of increased security by blocking remote access and requiring a higher level of authentication and authorisation for certain commands until a return to the normal state of operation is deemed safe.
Source: ES-C2M2

Term: Procedure
Definition: In this model, procedure is synonymous with process.
Source: ES-C2M2

Term: Process
Definition: A series of discrete activities or tasks that contribute to the fulfilment of a task or mission.
Source: CERT RMM (Business Process)

Term: Provisioning
Definition: The process of assigning or activating an identity profile and its associated roles and access privileges. See also deprovisioning.
Source: CERT RMM

Term: Recovery Time Objectives (RTO)
Definition: Documented goals and performance targets the organisation sets for recovery of an interrupted function in order to meet critical infrastructure and organisational objectives.
Source: ES-C2M2
Term: Refinery
Definition: An organised and coordinated arrangement of manufacturing processes designed to produce physical and chemical changes in crude oil to convert it into everyday products like petrol, diesel, lubricating oil, fuel oil and bitumen.
Source: Australian Institute of Petroleum

Term: Region
Definition: An AEMO-defined term; there are five Regions in the NEM. The NEM regions are: QLD, NSW, VIC, SA, and TAS.
Source: aemo.com.au

Term: Retailers
Definition: Electricity retailers buy electricity at spot price and on-sell it to end-use customers.
Source: AESCSF

Term: Risk
Definition: A measure of the extent to which an organisation is threatened by a potential circumstance or event, and typically a function of (1) the adverse impacts that would arise if the circumstance or event occurs and (2) the likelihood of occurrence.
Source: DOE RMP

Term: Risk analysis
Definition: A risk management activity focused on understanding the condition and potential consequences of risk, prioritising risks, and determining a path for addressing risks. Determines the importance of each identified risk and is used to facilitate the organisation's response to the risk.
Source: Adapted from CERT RMM

Term: Risk assessment
Definition: The process of identifying risks to organisational operations (including mission, functions, image, reputation), resources, other organisations, and the Nation, resulting from the operation of an IT and ICS.
Source: DOE RMP

Term: Risk criteria
Definition: Objective criteria that the organisation uses for evaluating, categorising, and prioritising operational risks based on impact, tolerance for risk, and risk response approaches.
Source: ES-C2M2
Term: Risk designation, as in 'position risk designation'
Definition: An indication, such as high, medium, or low, of the position's potential for adverse impact to the efficiency, integrity, or availability of the organisation's services.
Source: Adapted from OPM

Term: Risk disposition
Definition: A statement of the organisation's intention for addressing an operational risk. Typically limited to 'accept,' 'transfer,' 'research,' or 'mitigate.'
Source: CERT RMM

Term: Risk management program
Definition: The program and supporting processes to manage cyber security risk to organisational operations (including mission, functions, image, and reputation), resources, other organisations, and the Nation. It includes (1) establishing the context for risk-related activities, (2) assessing risk, (3) responding to risk once determined, and (4) monitoring risk over time.
Source: DOE RMP

Term: Risk management strategy
Definition: Strategic-level decisions on how senior executives manage risk to an organisation's operations, resources, and other organisations.
Source: DOE RMP

Term: Risk mitigation
Definition: Prioritising, evaluating, and implementing appropriate risk-reducing controls.
Source: DOE RMP

Term: Risk mitigation plan
Definition: A strategy for mitigating risk that seeks to minimise the risk to an acceptable level.
Source: CERT RMM

Term: Risk parameter/risk parameter factors
Definition: Organisation-specific risk tolerances used for consistent measurement of risk across the organisation. Risk parameters include risk tolerances and risk measurement criteria.
Source: CERT RMM

Term: Risk register
Definition: A structured repository where identified risks are recorded to support risk management.
Source: ES-C2M2
Term: Risk response
Definition: Accepting, avoiding, mitigating, sharing, or transferring risk to organisational operations, resources, and other organisations.
Source: DOE RMP

Term: Risk taxonomy
Definition: The collection and cataloguing of common risks that the organisation is subject to and must manage. The risk taxonomy is a means for communicating these risks and for developing mitigation actions specific to an organisational unit or line-of-business if operational assets and services are affected by them.
Source: Adapted from CERT RMM

Term: Role
Definition: A group attribute that ties membership to function. When an entity assumes a role, the entity is given certain rights that belong to that role. When the entity leaves the role, those rights are removed. The rights given are consistent with the functionality that the entity needs to perform the expected tasks.
Source: CNSSI 4009

Term: SCADA
Definition: Supervisory Control and Data Acquisition is an industrial computer system for process control and gathering of data in real time from remote locations in order to control equipment and conditions.
Source: AESCSF

Term: Secure software development
Definition: Developing software using recognised processes, secure coding standards, best practices, and tools that have been demonstrated to minimise security vulnerabilities in software systems throughout the software development life cycle. An essential aspect is to engage programmers and software architects who have been trained in secure software development.
Source: ES-C2M2
Term: Separation of duties
Definition: [A security control that] 'addresses the potential for abuse of authorised privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Organisations with significant personnel limitations may compensate for the separation of duty security control by strengthening the audit, accountability, and personnel security controls.'
Source: NIST 800-53, pp. 31, F-13

Term: Service level agreement (SLA)
Definition: Defines the specific responsibilities of the service provider, including the satisfaction of any relevant cyber security requirements, and sets the customer's expectations regarding the quality of service to be provided.
Source: Adapted from CNSSI 4009

Term: Single point of failure (SPOF)
Definition: An environment/system where one failure can result in the failure of the entire system. For high availability systems, a design goal is to reduce the number of single points of failure.
Source: AESCSF
Term: Situational awareness
Definition: A sufficiently accurate and up-to-date understanding of the past, current, and projected future state of a system (including its cyber security safeguards), in the context of the threat environment and risks to the system's mission, to support effective decision making with respect to activities that depend on and/or affect how well a system functions. It involves the collection of data (e.g., via sensor networks), data fusion, and data analysis (which may include modelling and simulation) to support automated and/or human decision making (for example, concerning power system functions). Situational awareness also involves the presentation of the results of the data analysis in a form (e.g., using data visualisation techniques, appropriate use of alarms) that aids human comprehension and allows operators or other personnel to quickly grasp the key elements needed for good decision making.
Source: Adapted from SGMM Glossary

Term: Sponsorship
Definition: Enterprise-wide support of cyber security objectives by senior management as demonstrated by formal policy or by declarations of management's commitment to the cyber security program along with provision of resources. Senior management monitors the performance and execution of the cyber security program and is actively involved in the ongoing improvement of all aspects of the cyber security program.
Source: ES-C2M2
Term: Stakeholder
Definition: An external organisation or an internal or external person or group that has a vested interest in the organisation or function (that is being evaluated using this model) and its practices. Stakeholders involved in performing a given practice (or who oversee, benefit from, or are dependent upon the quality with which the practice is performed) could include those from within the function, from across the organisation, or from outside the organisation.
Source: Adapted from CERT RMM

Term: Standard
Definition: A standard is a document, established by consensus, that provides rules, guidelines, or characteristics for activities or their results. See guidelines.
Source: Adapted from ISO/IEC Guide 2:2004

Term: States of operation
Definition: See pre-defined states of operation.
Source: ES-C2M2

Term: Strategic objectives
Definition: The performance targets that the organisation sets to accomplish its mission, vision, values, and purpose.
Source: CERT RMM

Term: Strategic planning
Definition: The process of developing strategic objectives and plans for meeting these objectives.
Source: CERT RMM

Term: STTM
Definition: The Short Term Trading Market: a market-based wholesale gas balancing mechanism established at defined gas hubs in Sydney, Adelaide and Brisbane.
Source: AEMO
Term: Supply chain
Definition: The set of organisations, people, activities, information, and resources for creating and moving a product or service (including its sub-elements) from suppliers through to an organisation's customers. The supply chain encompasses the full product life cycle and includes design, development, and acquisition of custom or commercial off-the-shelf (COTS) products, system integration, system operation (in its environment), and disposal.
People, processes, services, products, and the elements that make up the products wholly impact the supply chain.
Source: NISTIR 7622 (source of 1st paragraph cited as [NDIA ESA])

Term: Supply chain risk
Definition: Supply chain risk is measured by the likelihood and severity of damage if an IT or OT system is compromised by a supply chain attack, and takes into account the importance of the system and the impact of compromise on organisational operations and assets, individuals, other organisations, and the Nation. Supply chain attacks may involve manipulating computing system hardware, software, or services at any point during the life cycle. Supply chain attacks are typically conducted or facilitated by individuals or organisations that have access through commercial ties, leading to stolen critical data and technology, corruption of the system/infrastructure, and/or disabling of mission-critical operations. See risks and supply chain.
Source: Adapted from NIST 7622, pg. 7 & pg. 10

Term: Target State
Definition: For Participants in the Electricity sub-sector, the criticality result (as assessed by the E-CAT) determines a recommended Target State. See the AESCSF Framework Overview for additional information.
Source: AESCSF
Term: Telecommunications
Definition: Internal private telecommunication hardware. Telecommunications networks that earn additional revenue may be classified as Regulated Telecommunications.
Source: AESCSF

Term: Terminal (storage terminal)
Definition: A building or area with large tanks for storing oil, gas, and other petrochemical products.
Source: Collinsdictionary.com

Term: Threat
Definition: Any circumstance or event with the potential to adversely impact organisational operations (including mission, functions, image, or reputation), resources, and other organisations through IT, OT, or communications infrastructure via unauthorised access, destruction, disclosure, modification of information, and/or denial of service.
Source: Adapted from DOE RMP

Term: Threat assessment
Definition: The process of evaluating the severity of threat to an IT and ICS or organisation and describing the nature of the threat.
Source: DOE RMP

Term: Threat profile
Definition: A characterisation of the likely intent, capability, and targets for threats to the function. It is the result of one or more threat assessments across the range of feasible threats to the IT and OT of an organisation and to the organisation itself, delineating the feasible threats, describing the nature of the threats, and evaluating their severity.
Source: ES-C2M2

Term: Threat source
Definition: An intent and method targeted at the intentional exploitation of a vulnerability or a situation, or a method that may accidentally exploit a vulnerability.
Source: DOE RMP
Term: Traceability
Definition: The ability to determine whether or not a given attribute of the current state is valid (e.g., the current configuration of a system or the purported identity of a user) based on the evidence maintained in a historical record showing how the attribute was originally established and how it has changed over time.
Source: ES-C2M2

Term: Transmission
Definition: The movement or transfer of electric energy over an interconnected group of lines and associated equipment between points of supply and points at which it is transformed for delivery to consumers or is delivered to other electric systems. Transmission is considered to end when the energy is transformed for distribution to the consumer.
Source: EIA Glossary

Term: Transmission Network Service Provider (TNSP)
Definition: Owner and operator of the high-voltage transmission towers, electrical substations, and wires that transport electricity.
Source: AESCSF

Term: Upstream dependencies
Definition: External parties on which the delivery of the function depends, including suppliers and some operating partners.
Source: ES-C2M2

Term: Validate
Definition: Collect and evaluate evidence to confirm or establish the quality of something (e.g., information, a model, a product, a system, or component) with respect to its fitness for a particular purpose.
Source: ES-C2M2

Term: Virtual Power Plants (VPP)
Definition: A Virtual Power Plant (VPP) refers to an aggregation of resources, coordinated using software and communications technology, to deliver services that have traditionally been performed by a conventional power plant. In Australia, grid connected VPPs are focused on coordinating rooftop PV and battery storage.
Source: AEMO
Term: Vulnerability
Definition: A cyber security vulnerability is a weakness or flaw in IT, OT, or communications systems or devices, system procedures, internal controls, or implementation that could be exploited by a threat source. A vulnerability class is a grouping of common vulnerabilities.
Source: Adapted from NISTIR 7628 Vol. 1, pp. 8

Term: Vulnerability assessment
Definition: Systematic examination of an IT or product to determine the adequacy of cyber security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed cyber security measures, and confirm the adequacy of such measures after implementation.
Source: DOE RMP

Term: Wholesale Electricity Market (WEM)
Definition: The Wholesale Electricity Market in Western Australia facilitates competition and private investment, and allows generators and wholesale purchasers of electricity greater flexibility as to how they sell or procure electricity, and who they transact with.
Source: AESCSF

Term: Wide area network (WAN)
Definition: The hardware and software configuration of devices that enable data communications across sites. WAN technologies can include both Internet Protocol (IP) and Time Division Multiplex (TDM)/Serial Network technologies.
Source: AESCSF
Term: Workforce life cycle
Definition: For the purpose of this model, the workforce life cycle comprises the distinct phases of workforce management that apply to personnel both internal and external to the organisation. Specific cyber security implications and requirements are associated with each life cycle phase. The workforce life cycle includes recruiting, hiring, onboarding, skill assessments, training and certification, assignment to roles (deployment), professional growth and development, re-assignment and transfers, promotions and demotions, succession planning, and termination or retirement. The phases may not be in strict sequence, and some phases (like training, re-assignment, and promotions) may recur.
Source: ES-C2M2

Term: Workforce management objectives
Definition: See cyber security workforce management objectives.
Source: ES-C2M2